{"id":"MAL-2026-5723","summary":"Malicious code in @ci-lifecycle-test/postinstall-ping (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (75c160ad40a237c1e682c696ebd0aec2861ca072f47bd5b725bc80f7f95ed509)\nThe package's postinstall lifecycle script (postinstall.js) executes automatically on `npm install` and POSTs the JSON-serialized contents of the entire process.env to https://eoarlb39lor5s7x.m.pipedream.net. The fetch is wired with `.catch(() =\u003e {})` so the exfiltration fails silently and produces no installer-visible error. On CI runners and developer machines, process.env routinely holds high-value secrets (GITHUB_TOKEN, NPM_TOKEN, AWS_ACCESS_KEY_ID/SECRET_ACCESS_KEY, CI provider tokens, arbitrary deploy credentials), all of which are shipped to the attacker-controlled Pipedream webhook in a single bulk dump. There is no license-check, telemetry-disclosure, or other legitimate reason to enumerate the entire environment; the indiscriminate serialization combined with a third-party webhook destination is the canonical install-time credential-harvest shape.\n","modified":"2026-06-13T02:31:43.674041705Z","published":"2026-06-13T02:10:32Z","database_specific":{"malicious-packages-origins":[{"sha256":"47c5e4ee38e9d87c1968c83d8998cb9832d2e72445558ac35217671f1f61d64b","modified_time":"2026-06-13T02:10:33Z","import_time":"2026-06-13T02:23:23.363417093Z","id":"IN-MAL-2026-006274","versions":["1.0.0"],"source":"amazon-inspector"},{"import_time":"2026-06-13T02:23:23.251089716Z","modified_time":"2026-06-13T02:10:32Z","source":"amazon-inspector","sha256":"75c160ad40a237c1e682c696ebd0aec2861ca072f47bd5b725bc80f7f95ed509","versions":["1.0.0"],"id":"IN-MAL-2026-006273"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/@ci-lifecycle-test/postinstall-ping/v/1.0.0"}],"affected":[{"package":{"name":"@ci-lifecycle-test/postinstall-ping","ecosystem":"npm","purl":"pkg:npm/%40ci-lifecycle-test%2Fpostinstall-ping"},"versions":["1.0.0"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"ips":["10.1.0.2","54.164.250.243","104.16.0.34"],"evidence_files":[{"tlsh":"e3c02b6f110f46001d91d78430b0070dc3138b038bc25ce803e044c43f8da78041a0fc","sha256":"dad59be901002b66c9c41859bbccaf0c8c123707b28b67620f89db9af30bff3a","path":"postinstall.js"}],"package_integrity":[{"filename":"postinstall-ping-1.0.0.tgz","hashes":{"sha1":"8af802df25614422c3dcc1a94f7e6db260e8e04e","sha512_sri":"sha512-9YeAUD2R5/KnxUN4MW340/q4dSb0P/CQ4LTYW9R3/v2Ad2DwEsZpPMx5xC4ROlzZtN7q5kk/G+AIEw0F46eHPg=="}}],"domains":["eoarlb39lor5s7x.m.pipedream.net"]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/@ci-lifecycle-test/postinstall-ping/MAL-2026-5723.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}